All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk_TA_aws initial_scan_datetime not being honored

pkeller
Contributor
‎06-07-2018 10:44 AM

We're trying to grab cloudtrail datasources from AWS using the Splunk_TA_aws and even though the documentation says that initial_scan_datetime should be configured as a relative time (per: https://docs.splunk.com/Documentation/AddOns/released/AWS/S3 ) .. the UI configuration rejects that format.

And when we try to enter a specific date/time ... ie:

 initial_scan_datetime = 2018-04-01T00:00:00Z

... Splunk still starts trying to collect data as far back as it exists ... ( in our case: 2016 )

We've also tried: (per the S3 documentation page )

 initial_scan_datetime = -7d@d

And that also fails.

Are we configuring the inputs incorrectly, or is this a bug.

Tags (1)
Reply

soumyasaha25
Contributor
‎06-18-2018 01:45 AM

the initial_scan_datetime cannot be edited once the input is created, maybe you are facing challenges because of this.

As per Splunk documentation: The add-on starts to collect data later than this time. If you leave this field empty, the default value is 90 days before the input is configured.
Note: Once the input is created, this value cannot be changed.

Can you try the following:
delete/move the S3 bucket -> remove the stanza from your inputs.conf -> add your settings for initial_scan_datetime in the inputs.conf -> restart splunk services (config changes will only be capture after a restart) -> add the S3 bucket again in the monitored location.

Do let me know if this works. Also, since its been a while that you have posted this question, you might have figured out a solution, in that case do let me know what had fixed this issue (even if it is an temporary solution).

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...